ToothlessGear / node-gcm

A NodeJS wrapper library port to send data to Android devices via Google Cloud Messaging
https://github.com/ToothlessGear/node-gcm

dependency upgrades for vulnerabilities flagged by snyk #349

Closed marneborn closed 3 years ago

marneborn commented 3 years ago

Vulnerability in ajv (via request -> har-validator)

  Upgrade request@2.87.0 to request@2.88.0 to fix
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-AJV-584908] in ajv@5.5.2
    introduced by request@2.87.0 > har-validator@5.0.3 > ajv@5.5.2

Several snyk vulnerabilities related to lodash@4.17.10 (fixed in @4.17.20)

  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in lodash@4.17.10
    introduced by lodash@4.17.10
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-73639] in lodash@4.17.10
    introduced by lodash@4.17.10
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-590103] in lodash@4.17.10
    introduced by lodash@4.17.10
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@4.17.10
    introduced by lodash@4.17.10
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@4.17.10
    introduced by lodash@4.17.10
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@4.17.10
    introduced by lodash@4.17.10
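The Snyk output above reports vulnerable versions along with the dependency chain that introduces them. An added example, not code from node-gcm or from this PR, that reproduces that check locally: it walks an `npm ls --json`-style dependency tree and reports every path that still resolves to a version below the minimums the PR names as fixed (request@2.88.0, which pulls in a fixed har-validator/ajv chain, and lodash@4.17.20). The `SAMPLE_TREE` input is constructed to mirror the chains in the description; the semver comparison is a deliberately minimal one for "major.minor.patch" strings.

```javascript
// Added example (not part of node-gcm or this PR): find dependency paths that
// still resolve to versions below the fixed minimums named in the PR description.

// Minimum fixed versions taken from the PR description.
const MIN_FIXED = {
  request: '2.88.0',
  lodash: '4.17.20',
};

// Compare two "major.minor.patch" strings numerically; returns <0, 0 or >0.
// Pre-release tags and build metadata are not handled (assumption: plain releases).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively walk an `npm ls --json`-shaped tree. `path` accumulates
// "name@version" segments so the result reads like Snyk's "introduced by" line.
function findVulnerable(tree, minFixed = MIN_FIXED, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(`${name}@${node.version}`);
    if (minFixed[name] && compareSemver(node.version, minFixed[name]) < 0) {
      out.push({
        name,
        version: node.version,
        fixed: minFixed[name],
        introducedBy: here.join(' > '),
      });
    }
    findVulnerable(node, minFixed, here, out);
  }
  return out;
}

// Render findings as one line each, mirroring the Snyk report layout.
function formatReport(tree, minFixed = MIN_FIXED) {
  return findVulnerable(tree, minFixed).map(
    (f) => `${f.name}@${f.version} (fixed in ${f.fixed}) introduced by ${f.introducedBy}`
  );
}

// Constructed sample tree mirroring the chains in the PR description.
const SAMPLE_TREE = {
  name: 'node-gcm-sample',
  version: '0.0.0',
  dependencies: {
    lodash: { version: '4.17.10' },
    request: {
      version: '2.87.0',
      dependencies: {
        'har-validator': {
          version: '5.0.3',
          dependencies: { ajv: { version: '5.5.2' } },
        },
      },
    },
  },
};

console.log(formatReport(SAMPLE_TREE).join('\n'));
```

On a real project, replace `SAMPLE_TREE` with the parsed output of `npm ls --json --all` and extend `MIN_FIXED` with whatever your scanner reports; the walk then tells you which top-level dependency has to move for a transitive finding to disappear.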
jannomeister commented 3 years ago

@ToothlessGear can you consider merging this PR? Because some other libraries use your library, but snyk reports a vulnerability with the current version of request the package is using. 😢

ToothlessGear commented 3 years ago

Looks fine by me, thanks!